recordsansible/ara
Code Issues Proposed changes

Remove Ansible roles from the repository

Browse Source 
These have been moved out to an Ansible collection:
https://github.com/ansible-community/ara-collection

Leaves a README.rst to tell users where to look for for a while.

Because the existing Zuul CI jobs relied on these roles, this also
changes the Zuul config to use the jobs that are used to test the
collection instead.

Related: https://github.com/ansible-community/ara/issues/71
Change-Id: I1c573d8677d36cfd431101f1f181253c1cce3bc1
This commit is contained in:
David Moreau Simard 2021-02-23 18:58:04 -05:00
parent f8b6092336
commit f4a40db53e
No known key found for this signature in database
GPG Key ID: 7D4729EC4E64E8B7
42 changed files with 18 additions and 1886 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
.zuul.d/jobs.yaml
View File

@ -45,58 +45,6 @@
ara_api_secure_logging: false ara_api_secure_logging: false
post-run: tests/zuul_post_logs.yaml post-run: tests/zuul_post_logs.yaml
- job:
name: ara-api-database-backends
parent: ara-integration-base
required-projects:
- name: github.com/ansible/ansible
override-checkout: stable-2.9
pre-run: tests/zuul_pre_multinode_networking.yaml
- job:
name: ara-api-postgresql
parent: ara-api-database-backends
nodeset: ara-database-server-multinode
description: |
Deploys the ARA API server on Ubuntu 18.04, Fedora 32 as well as CentOS 8
and tests it against a central PostgreSQL server installed on CentOS 8.
The job exercises the ara_api Ansible role, the ARA Ansible plugins, the
ARA API clients as well as the API itself.
run: tests/with_postgresql.yaml
post-run: tests/zuul_post_with_postgresql.yaml
- job:
name: ara-api-mysql
parent: ara-api-database-backends
nodeset: ara-database-server-multinode
description: |
Deploys the ARA API server on Ubuntu 18.04, Fedora 32 as well as CentOS 8
and tests it against a central MySQL server installed on CentOS 8.
The job exercises the ara_api Ansible role, the ARA Ansible plugins, the
ARA API clients as well as the API itself.
run: tests/with_mysql.yaml
post-run: tests/zuul_post_with_mysql.yaml
- job:
name: ara-api-distributed-sqlite
parent: ara-api-database-backends
nodeset: ara-multinode
description: |
Deploys the ARA API server on Ubuntu 18.04, Fedora 32 as well as CentOS 8
and tests it using the distributed sqlite database backend.
run: tests/with_distributed_sqlite.yaml
# TODO: The job should build a package from current source and test that package
# instead of the package in the stable distribution.
- job:
name: ara-api-fedora-packages
parent: ara-integration-base
nodeset: ara-fedora-32
description: |
Deploys the ARA API server on Fedora 32 using distribution packages for
ARA and Ansible.
run: tests/with_fedora_packages.yaml
- job: - job:
name: ara-ansible-integration-base name: ara-ansible-integration-base
parent: ara-integration-base parent: ara-integration-base

14
.zuul.d/project.yaml
View File

@ -5,11 +5,10 @@
- docs-on-readthedocs - docs-on-readthedocs
check: check:
jobs: jobs:
- ara-api-distributed-sqlite: - ara-role-api-distributed-sqlite
voting: false - ara-role-api-mysql
- ara-api-mysql - ara-role-api-postgresql
- ara-api-postgresql - ara-role-api-fedora-packages:
- ara-api-fedora-packages:
voting: false voting: false
- ara-basic-ansible-devel: - ara-basic-ansible-devel:
voting: false voting: false
@ -20,8 +19,9 @@
- ara-tox-py3 - ara-tox-py3
gate: gate:
jobs: jobs:
- ara-api-mysql - ara-role-api-distributed-sqlite
- ara-api-postgresql - ara-role-api-mysql
- ara-role-api-postgresql
- ara-basic-ansible-2.8 - ara-basic-ansible-2.8
- ara-basic-ansible-2.7 - ara-basic-ansible-2.7
- ara-container-images - ara-container-images

11
roles/README.rst Normal file
View File

@ -0,0 +1,11 @@
Roles have been moved
=====================
The Ansible roles ara_api, ara_frontend_nginx as well as ara_web used to live here but have since been moved to an
`Ansible collection <https://github.com/ansible-community/ara-collection>`_.
This collection is also available on `galaxy.ansible.com <https://galaxy.ansible.com/recordsansible/ara>`_.
You can install the collection by running ``ansible-galaxy collection install recordsansible.ara``
This directory will eventually be removed.

121
roles/ara_api/README.rst
View File

@ -1,121 +0,0 @@
ansible-role-ara-api
====================
.. image:: ../../doc/source/_static/ansible-role-ara-api.png
This Ansible role provides a framework for installing one or many instances of
`ARA Records Ansible <https://github.com/ansible-community/ara>`_ in a variety of
opinionated deployment topologies.
It is currently tested and supported against Ubuntu 18.04, Fedora 30 and CentOS 8.
Role Variables
--------------
See `defaults/main.yaml <https://github.com/ansible-community/ara/blob/master/roles/ara_api/defaults/main.yaml>`_.
.. literalinclude:: ../../roles/ara_api/defaults/main.yaml
:language: yaml+jinja
:start-after: www.gnu.org
TL;DR
-----
Playbook that runs the role with defaults:
.. code-block:: yaml+jinja
- name: Install ARA with default settings and no persistent API server
hosts: all
gather_facts: yes
roles:
- ara_api
What the role ends up doing by default:
- Installs required packages (``git``, ``virtualenv``, etc.) if superuser privileges are available
- Stores everything in the home directory of the user in ``~/.ara``
- Retrieves ARA from source
- Installs ARA in a virtualenv
- Generates a random secret key if none are already configured or provided
- Sets up API configuration in ``~/.ara/server/settings.yaml``
- Runs the API SQL migrations (``ara-manage migrate``)
About deployment topologies
---------------------------
This Ansible role is designed to support different opinionated topologies that
can be selected with role variables.
For example, the following role variables are used to provide the topology from
the ``TL;DR`` above:
- ``ara_api_install_method: source``
- ``ara_api_wsgi_server: null``
- ``ara_api_database_engine: django.db.backends.sqlite3``
- ``ara_api_web_server: null``
The intent is that as the role gains support for other install methods,
wsgi servers, database engines or web servers, it will be possible to
mix and match according to preference or requirements.
Perhaps ARA could be installed from pypi and run with gunicorn, nginx and mysql.
Or maybe it could be installed from distribution packages and set up to run
with apache, mod_wsgi and postgresql.
Or any combination of any of those.
Example playbooks
-----------------
Install ARA and set up the API to be served by a persistent gunicorn service:
.. code-block:: yaml+jinja
- name: Install ARA and set up the API to be served by gunicorn
hosts: all
gather_facts: yes
vars:
ara_api_wsgi_server: gunicorn
roles:
- ara_api
Install ARA and set up the API to be served by nginx in front of gunicorn:
.. code-block:: yaml+jinja
# Requires superuser privileges to set up nginx and the ara-api service
# The API will be reachable at http://api.ara.example.org
- name: Install ARA and set up the API to be served by nginx in front of gunicorn
hosts: all
gather_facts: yes
vars:
ara_api_frontend_server: nginx
ara_api_wsgi_server: gunicorn
ara_api_fqdn: api.ara.example.org
ara_api_allowed_hosts:
- api.ara.example.org
ara_api_frontend_vhost: custom_vhost.conf.j2
roles:
- ara_api
.. _include_delimiter_end:
Copyright
---------
.. code-block:: text
Copyright (c) 2019 Red Hat, Inc.
ARA Records Ansible is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ARA Records Ansible is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.

206
roles/ara_api/defaults/main.yaml
View File

@ -1,206 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# By default, tasks in this role that could result in configuration or
# credentials being printed by Ansible are set up to hide the output to prevent
# sensitive information from being exposed.
# Setting ara_api_secure_logging to false will make Ansible print the raw,
# unfiltered result of these tasks.
# Note that it does not have any impact on tasks that are recorded by ARA.
# It is only for the output when running this specific role.
ara_api_secure_logging: true
# Root directory where every file for the ARA installation are located
ara_api_root_dir: "{{ ansible_user_dir }}/.ara"
# Directory where logs are written to
ara_api_log_dir: "{{ ara_api_root_dir }}/logs"
# Whether or not ara should be installed in a virtual environment.
# This defaults to true to prevent conflicting with system or distribution
# python packages.
ara_api_venv: true
# When using a virtualenv, path to where it will be installed
ara_api_venv_path: "{{ ara_api_root_dir }}/virtualenv"
# How ARA will be installed
# - source [default]: installs from a local or remote git repository
# - distribution: installs from distribution packages, if available
# - pypi [planned]: installs from pypi
ara_api_install_method: source
# When installing from source, the URL or filesystem path where the git source
# repository can be cloned from.
ara_api_source: "https://opendev.org/recordsansible/ara"
# When installing from source, location where the source repository will be checked out to.
ara_api_source_checkout: "{{ ara_api_root_dir }}/git/ara"
# Version of ARA to install
# When installing from source, this can be a git ref (tag, branch, commit, etc)
# When installing from PyPi, it would be a version number that has been released.
# When using "latest" as the source version, HEAD will be used
# When using "latest" as the pypi version, the latest release will be used
ara_api_version: master
# The frontend/web server for serving the ARA API
# It is recommended to specify a web server when deploying a production environment.
# - null [default]: No frontend server will be set up.
# - nginx: Nginx will be configured in front of the WSGI application server.
# - apache [planned]
ara_api_frontend_server: null
# Path to a custom vhost configuration jinja template
# The vhost configuration templates provided by the role are simple by design
# and are not sufficient to cover every use cases.
# Use this variable if you need to have your own custom nginx or apache configuration.
ara_api_frontend_vhost: null
# The WSGI server for running ARA's API server
# - null [default]: No persistent WSGI application server will be set up. Only the offline API client will work.
# - gunicorn: gunicorn will be installed and set up to run the API as a systemd service.
# - mod_wsgi [planned]
ara_api_wsgi_server: null
# Address and port on which the wsgi server will bind
# Changing this value means you might need to adjust "ara_api_allowed_hosts" and
# "ara_api_cors_origin_whitelist".
ara_api_wsgi_bind: "127.0.0.1:8000"
# Amount of worker processes for the wsgi server
# Recommended default formula by gunicorn: https://docs.gunicorn.org/en/stable/design.html#how-many-workers
ara_api_wsgi_workers: "{{ ansible_processor_count * ansible_processor_cores * ansible_processor_threads_per_core * 2 + 1 }}"
# When using a frontend server, the domain or address it will be listening on
ara_api_fqdn: "{{ ansible_default_ipv4['address'] | default(ansible_default_ipv6['address']) }}"
####################################
# ara API configuration settings
# For more information, see documentation: https://ara.readthedocs.io
####################################
# ARA_BASE_DIR - Default directory for storing data and configuration
ara_api_base_dir: "{{ ara_api_root_dir }}/server"
# ARA_SETTINGS - Path to an ARA API configuration file
ara_api_settings: "{{ ara_api_base_dir }}/settings.yaml"
# ARA_ENV - Environment to load configuration for
ara_api_env: default
# ARA_READ_LOGIN_REQUIRED - Whether authentication is required for reading data
ara_api_read_login_required: false
# ARA_WRITE_LOGIN_REQUIRED - Whether authentication is required for writing data
ara_api_write_login_required: false
# ARA_PAGE_SIZE - Amount of results returned per page by the API
ara_api_page_size: 100
# ARA_LOG_LEVEL - Log level of the different components
ara_api_log_level: INFO
# ARA_LOGGING - Python logging configuration
ara_api_logging:
disable_existing_loggers: false
formatters:
normal:
format: '%(asctime)s %(levelname)s %(name)s: %(message)s'
handlers:
console:
class: logging.handlers.TimedRotatingFileHandler
formatter: normal
level: "{{ ara_api_log_level }}"
filename: "{{ ara_api_log_dir }}/server.log"
when: 'midnight'
interval: 1
backupCount: 30
loggers:
ara:
handlers:
- console
level: "{{ ara_api_log_level }}"
propagate: 0
root:
handlers:
- console
level: "{{ ara_api_log_level }}"
version: 1
# ARA_CORS_ORIGIN_ALLOW_ALL - django-cors-headerss CORS_ORIGIN_WHITELIST_ALLOW_ALL setting
ara_api_cors_origin_allow_all: false
# ARA_CORS_ORIGIN_WHITELIST - django-cors-headerss CORS_ORIGIN_WHITELIST setting
ara_api_cors_origin_whitelist:
- "http://127.0.0.1:8000"
- "http://localhost:3000"
# ARA_CORS_ORIGIN_REGEX_WHITELIST - django-cors-headerss CORS_ORIGIN_REGEX_WHITELIST setting
ara_api_cors_origin_regex_whitelist: []
# ARA_SERVER_ALLOWED_HOSTS - Djangos ALLOWED_HOSTS setting
ara_api_allowed_hosts:
- "127.0.0.1"
- "localhost"
- "::1"
- "{{ ara_api_fqdn }}"
# ARA_DEBUG - Django's DEBUG setting
# It is not recommended to run with debug enabled in production.
ara_api_debug: false
# ARA_SECRET_KEY - Django's SECRET_KEY setting
# Note: If no key is provided, a random one will be generated once and persisted
ara_api_secret_key: null
# ARA_DISTRIBUTED_SQLITE - Whether to enable distributed sqlite backend
ara_api_distributed_sqlite: false
# ARA_DISTRIBUTED_SQLITE_PREFIX - Prefix to delegate to the distributed sqlite backend
ara_api_distributed_sqlite_prefix: ara-report
# ARA_DISTRIBUTED_SQLITE_ROOT - Root under which sqlite databases are expected
ara_api_distributed_sqlite_root: /var/www/logs
# ARA_DATABASE_ENGINE - Djangos ENGINE database setting
ara_api_database_engine: "{{ ara_api_distributed_sqlite | ternary('ara.server.db.backends.distributed_sqlite', 'django.db.backends.sqlite3') }}"
# ARA_DATABASE_NAME - Djangos NAME database setting
ara_api_database_name: "{{ ara_api_base_dir }}/ansible.sqlite"
# ARA_DATABASE_USER - Djangos USER database setting
ara_api_database_user: null
# ARA_DATABASE_PASSWORD - Djangos PASSWORD database setting
ara_api_database_password: null
# ARA_DATABASE_HOST - Djangos HOST database setting
ara_api_database_host: null
# ARA_DATABASE_PORT - Djangos PORT database setting
ara_api_database_port: null
# ARA_DATABASE_CONN_MAX_AGE - Django's CONN_MAX_AGE database setting
ara_api_database_conn_max_age: 0
# ARA_TIME_ZONE - Time zone used when storing and returning results
# Note: the default provided by ARA is dynamic and is set to the local system
# timezone but Ansible doesn't provide, for example, an ansible_timezone fact
# that we could use here. With that in mind, UTC is the best default for now.
ara_api_time_zone: UTC

15
roles/ara_api/files/ara-gunicorn.te
View File

@ -1,15 +0,0 @@
module ara-gunicorn 1.0;
require {
type init_t;
type user_home_t;
class file { create execute execute_no_trans ioctl lock map open read write };
class lnk_file { getattr read };
}
#============= init_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow init_t user_home_t:file map;
allow init_t user_home_t:file { create execute execute_no_trans ioctl lock open read write };
allow init_t user_home_t:lnk_file { getattr read };

26
roles/ara_api/handlers/main.yaml
View File

@ -1,26 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: restart ara-api
become: yes
service:
name: ara-api
state: restarted
when:
- ara_api_wsgi_server is not none
- ara_api_service_enabled is not changed

35
roles/ara_api/meta/main.yaml
View File

@ -1,35 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
galaxy_info:
author: David Moreau-Simard
description: Self-contained role to set up ARA and it's components
license: GPLv3
min_ansible_version: 2.7
platforms:
- name: Fedora
versions:
- 29
- name: Ubuntu
versions:
- bionic
galaxy_tags:
- ansible
- ara
dependencies: []

112
roles/ara_api/tasks/config.yaml
View File

@ -1,112 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Verify if a configuration file exists
stat:
path: "{{ ara_api_settings }}"
register: settings_stat
# If no secret key has been provided and this isn't the first time we are
# running, recover the secret key from the existing configuration file.
- when:
- ara_api_secret_key is none
- settings_stat.stat.exists
block:
- name: Read the existing configuration file
command: cat "{{ ara_api_settings }}"
changed_when: false
no_log: "{{ ara_api_secure_logging }}"
register: settings_contents
- name: Recover existing secret key
vars:
config: "{{ settings_contents.stdout | from_yaml }}"
set_fact:
ara_api_secret_key: "{{ config[ara_api_env]['SECRET_KEY'] }}"
no_log: "{{ ara_api_secure_logging }}"
# If no secret key has been provided and this is the first time we are
# running, generate a new random secret key that will be persisted in the
# configuration file.
- when:
- ara_api_secret_key is none
- not settings_stat.stat.exists
block:
- name: Generate a random secret key
environment:
PATH: "{{ path_with_virtualenv | default('/usr/bin:/usr/local/bin') }}"
command: python3 -c "from django.utils.crypto import get_random_string; print(get_random_string(length=50))"
no_log: "{{ ara_api_secure_logging }}"
register: generated_key
- name: Set ara_api_secret_key
set_fact:
ara_api_secret_key: "{{ generated_key.stdout }}"
no_log: "{{ ara_api_secure_logging }}"
- name: Validate distributed sqlite configuration
assert:
that:
- "ara_api_database_engine == 'ara.server.db.backends.distributed_sqlite'"
msg: |
The database engine should be 'ara.server.db.backends.distributed_sqlite'
when 'ara_api_distributed_sqlite' is true.
when: ara_api_distributed_sqlite
# Put configuration in a format we can write to a file
- name: Reconcile configuration
vars:
reconciled_configuration:
ALLOWED_HOSTS: "{{ ara_api_allowed_hosts }}"
BASE_DIR: "{{ ara_api_base_dir }}"
CORS_ORIGIN_ALLOW_ALL: "{{ ara_api_cors_origin_allow_all }}"
CORS_ORIGIN_WHITELIST: "{{ ara_api_cors_origin_whitelist }}"
CORS_ORIGIN_REGEX_WHITELIST: "{{ ara_api_cors_origin_regex_whitelist }}"
DATABASE_ENGINE: "{{ ara_api_database_engine }}"
DATABASE_NAME: "{{ ara_api_database_name }}"
DATABASE_USER: "{{ ara_api_database_user }}"
DATABASE_PASSWORD: "{{ ara_api_database_password }}"
DATABASE_HOST: "{{ ara_api_database_host }}"
DATABASE_PORT: "{{ ara_api_database_port }}"
DATABASE_CONN_MAX_AGE: "{{ ara_api_database_conn_max_age }}"
DEBUG: "{{ ara_api_debug }}"
DISTRIBUTED_SQLITE: "{{ ara_api_distributed_sqlite }}"
DISTRIBUTED_SQLITE_PREFIX: "{{ ara_api_distributed_sqlite_prefix }}"
DISTRIBUTED_SQLITE_ROOT: "{{ ara_api_distributed_sqlite_root }}"
LOGGING: "{{ ara_api_logging }}"
LOG_LEVEL: "{{ ara_api_log_level }}"
SECRET_KEY: "{{ ara_api_secret_key }}"
READ_LOGIN_REQUIRED: "{{ ara_api_read_login_required }}"
WRITE_LOGIN_REQUIRED: "{{ ara_api_write_login_required }}"
PAGE_SIZE: "{{ ara_api_page_size }}"
TIME_ZONE: "{{ ara_api_time_zone }}"
set_fact:
ara_api_configuration: "{'{{ ara_api_env }}': {{ reconciled_configuration }} }"
no_log: "{{ ara_api_secure_logging }}"
- name: Set up the ARA API configuration file
copy:
content: |
---
# Managed by the ara Ansible role
{{ ara_api_configuration | to_nice_yaml(indent=2) }}
dest: "{{ ara_api_settings }}"
mode: 0640
notify:
- restart ara-api
no_log: "{{ ara_api_secure_logging }}"

22
roles/ara_api/tasks/database_engine/ara.server.db.backends.distributed_sqlite.yaml
View File

@ -1,22 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# This ensures the WSGI application servers are set up to use the right endpoint
- name: Set WSGI application to distributed_sqlite
set_fact:
_ara_api_wsgi_application: "ara.server.wsgi:distributed_sqlite"

54
roles/ara_api/tasks/database_engine/django.db.backends.mysql.yaml
View File

@ -1,54 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Retrieve list of missing required packages for mysql
set_fact:
_mysql_missing_packages: "{{ ara_api_mysql_packages | difference(ansible_facts.packages.keys()) }}"
# Only attempt to elevate privileges if there are any missing packages
- when: _mysql_missing_packages | length > 0
block:
- name: Install required packages
become: yes
package:
name: "{{ ara_api_mysql_packages }}"
state: present
rescue:
- name: Fail due to missing packages
fail:
msg: "Failed to elevate privileges and install missing required packages. Install the following packages before running this role again: {{ _mysql_missing_packages | join(' ') }}"
# Django requires mysqclient when using mysql
# https://docs.djangoproject.com/en/2.2/ref/databases/#mysql-db-api-drivers
- name: Ensure mysqlclient is installed
pip:
name: mysqlclient
state: present
virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
virtualenv_command: /usr/bin/python3 -m venv
- name: Run SQL migrations
environment:
ARA_SETTINGS: "{{ ara_api_settings }}"
PATH: "{{ path_with_virtualenv | default('/usr/bin:/usr/local/bin') }}"
command: ara-manage migrate
run_once: true
register: _ara_sql_migrations
retries: 3
delay: 5
until: _ara_sql_migrations is succeeded

54
roles/ara_api/tasks/database_engine/django.db.backends.postgresql.yaml
View File

@ -1,54 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Retrieve list of missing required packages for postgresql
set_fact:
_postgresql_missing_packages: "{{ ara_api_postgresql_packages | difference(ansible_facts.packages.keys()) }}"
# Only attempt to elevate privileges if there are any missing packages
- when: _postgresql_missing_packages | length > 0
block:
- name: Install required packages
become: yes
package:
name: "{{ ara_api_postgresql_packages }}"
state: present
rescue:
- name: Fail due to missing packages
fail:
msg: "Failed to elevate privileges and install missing required packages. Install the following packages before running this role again: {{ _postgresql_missing_packages | join(' ') }}"
# Django requires psycopg2 when using postgresql
# https://docs.djangoproject.com/en/2.2/ref/databases/#postgresql-notes
- name: Ensure psycopg2 is installed
pip:
name: psycopg2
state: present
virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
virtualenv_command: /usr/bin/python3 -m venv
- name: Run SQL migrations
environment:
ARA_SETTINGS: "{{ ara_api_settings }}"
PATH: "{{ path_with_virtualenv | default('/usr/bin:/usr/local/bin') }}"
command: ara-manage migrate
run_once: true
register: _ara_sql_migrations
retries: 3
delay: 5
until: _ara_sql_migrations is succeeded

30
roles/ara_api/tasks/database_engine/django.db.backends.sqlite3.yaml
View File

@ -1,30 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure the database directory exists
become: "{{ (ansible_user_dir in ara_api_database_name) | ternary(false, true) }}"
file:
path: "{{ ara_api_database_name | dirname }}"
state: directory
- name: Run SQL migrations
become: "{{ (ansible_user_dir in ara_api_database_name) | ternary(false, true) }}"
environment:
ARA_SETTINGS: "{{ ara_api_settings }}"
PATH: "{{ path_with_virtualenv | default('/usr/bin:/usr/local/bin') }}"
command: ara-manage migrate

29
roles/ara_api/tasks/install/distribution.yaml
View File

@ -1,29 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Validate if the distribution is supported
fail:
msg: |
{{ ansible_distribution }} does not support installation from distribution packages yet.
when: ara_distribution_packages | length == 0
- name: Install ara from distribution packages
become: yes
package:
name: "{{ ara_distribution_packages }}"
state: present

35
roles/ara_api/tasks/install/source.yaml
View File

@ -1,35 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Prepare git repository for ara
git:
repo: "{{ ara_api_source }}"
dest: "{{ ara_api_source_checkout }}"
version: "{{ (ara_api_version == 'latest') | ternary('HEAD', ara_api_version) }}"
- name: Install ara
pip:
name: "{{ ara_api_source_checkout }}[server]"
state: present
virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
virtualenv_command: /usr/bin/python3 -m venv
- name: Prefix the virtualenv bin directory to PATH
set_fact:
path_with_virtualenv: "{{ ara_api_venv_path }}/bin:{{ ansible_env.PATH }}"
when: ara_api_venv | bool

44
roles/ara_api/tasks/main.yaml
View File

@ -1,44 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Include OS family/distribution specific variables
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- name: Ensure pre-requirements for running are met
include_tasks: pre-requirements.yaml
- name: Include installation of ARA
include_tasks: "install/{{ ara_api_install_method }}.yaml"
- name: Include configuration of the ARA API
include_tasks: config.yaml
- name: Include configuration of the database engine
include_tasks: "database_engine/{{ ara_api_database_engine }}.yaml"
- name: Include installation of the WSGI backend server
include_tasks: "wsgi_server/{{ ara_api_wsgi_server }}.yaml"
when: ara_api_wsgi_server is not none
- name: Include installation of the frontend server
include_role:
name: "ara_frontend_{{ ara_api_frontend_server }}"
when: ara_api_frontend_server is not none

84
roles/ara_api/tasks/pre-requirements.yaml
View File

@ -1,84 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# EL8 doesn't install a python3 interpreter by default.
# System packages rely on /usr/libexec/platform-python and Ansible will use it
# but we want to use the non-system one. Install it if it's missing.
- name: Ensure python3 is installed for EL8
package:
name: python3
state: present
become: yes
when:
- ansible_distribution | lower in ["redhat", "centos"]
- ansible_distribution_major_version == "8"
# The ansible_python_version fact might end up retrieving the version of
# python2 so we need to explicitely get the version of python 3 available.
- name: Validate availability of Python 3.5
command: /usr/bin/python3 -c 'import sys; print(".".join(map(str, sys.version_info[:2])))'
changed_when: false
failed_when: false
register: python_version
- name: Fail pre-emptively if running Python <3.5
fail:
msg: "Python >=3.5 is required to run ARA"
when: python_version.stdout is version('3.5', '<') or python_version.rc != 0
- name: Get list of installed packages
package_facts:
manager: "auto"
no_log: "{{ ara_api_secure_logging }}"
- name: Retrieve list of missing required packages
set_fact:
ara_api_missing_packages: "{{ ara_api_required_packages | difference(ansible_facts.packages.keys()) }}"
# Only attempt to elevate privileges if there are any missing packages
- when: ara_api_missing_packages | length > 0
block:
- name: Install required packages
become: yes
package:
name: "{{ ara_api_required_packages }}"
state: present
rescue:
- name: Fail due to missing packages
fail:
msg: "Failed to elevate privileges and install missing required packages. Install the following packages before running this role again: {{ ara_missing_packages | join(' ') }}"
# The following tasks dynamically enable escalated privileges only when the
# directory to create is not located in the user's home directory.
- name: Ensure ara_api_root_dir exists
file:
path: "{{ ara_api_root_dir }}"
state: directory
mode: 0755
- name: Ensure ara_api_base_dir exists
file:
path: "{{ ara_api_base_dir }}"
state: directory
mode: 0750
- name: Ensure ara_api_log_dir exists
file:
path: "{{ ara_api_log_dir }}"
state: directory
mode: 0750

63
roles/ara_api/tasks/wsgi_server/gunicorn.yaml
View File

@ -1,63 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Install gunicorn
pip:
name: gunicorn
state: present
virtualenv: "{{ ara_api_venv | bool | ternary(ara_api_venv_path, omit) }}"
virtualenv_command: /usr/bin/python3 -m venv
- when: ansible_os_family == "RedHat"
block:
- name: Transfer gunicorn selinux type enforcement file
copy:
src: ara-gunicorn.te
dest: "{{ ara_api_root_dir }}/ara-gunicorn.te"
# TODO: Only compile a new module and policy package when necessary
- name: Compile ara-gunicorn selinux module
command: "checkmodule -M -m -o {{ ara_api_root_dir }}/ara-gunicorn.mod {{ ara_api_root_dir }}/ara-gunicorn.te"
- name: Compile ara-gunicorn selinux policy package
command: "semodule_package -o {{ ara_api_root_dir }}/ara-gunicorn.pp -m {{ ara_api_root_dir }}/ara-gunicorn.mod"
- become: yes
block:
# TODO: Only install the selinux module if it has changed
- name: Install selinux policy package
command: "semodule -i {{ ara_api_root_dir }}/ara-gunicorn.pp"
when: ansible_os_family == "RedHat"
- name: Set up systemd unit file for gunicorn to run the ARA API
template:
src: ara-api.service.j2
dest: /etc/systemd/system/ara-api.service
owner: root
group: root
mode: 0644
notify:
- restart ara-api
- name: Enable and start ara-api with gunicorn
service:
name: ara-api
state: started
enabled: yes
daemon_reload: yes
register: ara_api_service_enabled

20
roles/ara_api/templates/ara-api.service.j2
View File

@ -1,20 +0,0 @@
[Unit]
Description=ARA Records Ansible API with gunicorn
After=network.target
[Service]
User={{ ansible_user_id }}
RuntimeDirectory=ara-api
WorkingDirectory={{ ara_api_root_dir }}
Environment=ARA_SETTINGS={{ ara_api_settings }}
{% if ara_api_venv %}
ExecStart={{ ara_api_venv_path }}/bin/gunicorn --workers={{ ara_api_wsgi_workers }} --bind {{ ara_api_wsgi_bind }} {{ _ara_api_wsgi_application | default('ara.server.wsgi') }}
{% else %}
ExecStart=gunicorn --workers={{ ara_api_wsgi_workers }} --bind {{ ara_api_wsgi_bind }} {{ _ara_api_wsgi_application | default('ara.server.wsgi') }}
{% endif %}
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

38
roles/ara_api/vars/CentOS.yaml
View File

@ -1,38 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# ARA has not been packaged for CentOS or RHEL yet
ara_distribution_packages: []
ara_api_required_packages:
- git
- python3
- policycoreutils-python-utils
ara_api_postgresql_packages:
- postgresql
- postgresql-devel
- python3-devel
- gcc
ara_api_mysql_packages:
- mariadb
- mariadb-connector-c-devel
- redhat-rpm-config
- python3-devel
- gcc

1
roles/ara_api/vars/Debian.yaml
View File

@ -1 +0,0 @@
Ubuntu.yaml

39
roles/ara_api/vars/Fedora.yaml
View File

@ -1,39 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
ara_distribution_packages:
- ara
- ara-server
ara_api_required_packages:
- git
- python3-virtualenv
- python3-libselinux
- policycoreutils-python-utils
ara_api_postgresql_packages:
- postgresql
- postgresql-devel
- gcc
ara_api_mysql_packages:
- mariadb
- mariadb-connector-c-devel
- redhat-rpm-config
- python3-devel
- gcc

1
roles/ara_api/vars/RedHat.yaml
View File

@ -1 +0,0 @@
CentOS.yaml

38
roles/ara_api/vars/Ubuntu.yaml
View File

@ -1,38 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# ARA has not been packaged for Ubuntu yet
ara_distribution_packages: []
ara_api_required_packages:
- git
- python3-venv
- python3-setuptools
- python-pkg-resources
- python3-pkg-resources
ara_api_postgresql_packages:
- postgresql
- postgresql-server-dev-10
- gcc
ara_api_mysql_packages:
- mariadb-client
- libmariadbclient-dev
- python3-dev
- gcc

65
roles/ara_frontend_nginx/README.rst
View File

@ -1,65 +0,0 @@
ansible-role-ara-frontend-nginx
===============================
A role for deploying a minimal installation of nginx for ara-api and ara-web.
This role is not meant to be used on it's own, it should be included by the
``ara_api`` and ``ara_web`` roles in order to have the necessary variables
available.
It is currently tested and supported against Ubuntu 18.04 and Fedora 29.
Role Variables
--------------
- ``ara_api_frontend_vhost``: Path to a custom nginx vhost configuration file for ara-api.
- ``ara_web_frontend_vhost``: Path to a custom nginx vhost configuration file for ara-web.
Example playbooks
-----------------
Install ARA and set up the API to be served by nginx with a custom vhost configuration
in front of gunicorn::
# The API will be reachable at http://api.ara.example.org
# The web interface will be reachable at http://web.ara.example.org
# The web interface will be set up to query api.ara.example.org.
- name: Deploy ARA API server and web interface
hosts: all
gather_facts: yes
vars:
# ara_api
ara_api_frontend_server: nginx
ara_api_wsgi_server: gunicorn
ara_api_fqdn: api.ara.example.org
ara_api_allowed_hosts:
- api.ara.example.org
ara_api_frontend_vhost: custom_api_vhost.conf.j2
# ara_web
ara_web_fqdn: web.ara.example.org
ara_web_api_endpoint: "http://api.ara.example.org"
ara_web_frontend_server: nginx
ara_web_frontend_vhost: custom_web_vhost.conf.j2
roles:
- ara_api
- ara_web
Copyright
---------
::
Copyright (c) 2019 Red Hat, Inc.
ARA Records Ansible is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ARA Records Ansible is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.

24
roles/ara_frontend_nginx/handlers/main.yaml
View File

@ -1,24 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: restart nginx
become: yes
service:
name: nginx
state: restarted
when: ara_nginx_enabled is not changed

80
roles/ara_frontend_nginx/tasks/main.yaml
View File

@ -1,80 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Include OS family/distribution specific variables
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- become: yes
block:
- name: Install nginx
package:
name: nginx
state: present
- name: Set selinux boolean to allow nginx to reverse proxy
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
when: ansible_os_family == "RedHat"
- when: ara_api_fqdn is defined
block:
- name: Set up the ARA API nginx vhost
template:
src: "{{ ara_api_frontend_vhost | default('ara-api.conf.j2', True) }}"
dest: "{{ ara_nginx_config_path }}/ara-api.conf"
notify:
- restart nginx
- name: Enable the API nginx configuration on Debian-like systems
file:
src: "{{ ara_nginx_config_path }}/ara-api.conf"
dest: /etc/nginx/sites-enabled/ara-api.conf
state: link
when: ansible_os_family == 'Debian'
notify:
- restart nginx
- when: ara_web_fqdn is defined
block:
- name: Set up the ARA API nginx vhost
template:
src: "{{ ara_web_frontend_vhost | default('ara-web.conf.j2', True) }}"
dest: "{{ ara_nginx_config_path }}/ara-web.conf"
notify:
- restart nginx
- name: Enable the web nginx configuration on Debian-like systems
file:
src: "{{ ara_nginx_config_path }}/ara-web.conf"
dest: /etc/nginx/sites-enabled/ara-web.conf
state: link
when: ansible_os_family == 'Debian'
notify:
- restart nginx
- name: Enable and start nginx
service:
name: nginx
state: started
enabled: yes
register: ara_nginx_enabled

39
roles/ara_frontend_nginx/templates/ara-api.conf.j2
View File

@ -1,39 +0,0 @@
upstream ara_api {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response
server {{ ara_api_wsgi_bind }} fail_timeout=0;
}
server {
listen 80;
keepalive_timeout 5;
server_name {{ ara_api_fqdn }};
access_log /var/log/nginx/{{ ara_api_fqdn }}_access.log;
error_log /var/log/nginx/{{ ara_api_fqdn }}_error.log;
# There's nothing at /, redirect it to the actual API for convenience
location / {
return 301 http://{{ ara_api_fqdn }}/api/v1/;
}
location /static {
expires 7d;
add_header Cache-Control "public";
}
# Everything, including static files, is served by the backend
location ~ {
# checks if the file exists, if not found proxy to app
try_files $uri @proxy_to_app;
}
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://ara_api;
}
}

33
roles/ara_frontend_nginx/templates/ara-web.conf.j2
View File

@ -1,33 +0,0 @@
{% if ara_web_dev_server %}
upstream ara_web {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response
server {{ ara_web_dev_server_bind_address }}:{{ ara_web_dev_server_bind_port }} fail_timeout=0;
}
{% endif %}
server {
listen 80;
keepalive_timeout 5;
server_name {{ ara_web_fqdn }};
root {{ ara_web_static_dir }};
access_log /var/log/nginx/{{ ara_web_fqdn }}_access.log;
error_log /var/log/nginx/{{ ara_web_fqdn }}_error.log;
{% if ara_web_dev_server %}
location / {
# checks if the file exists, if not found proxy to app
try_files $uri @proxy_to_app;
}
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://ara_web;
}
{% endif %}
}

21
roles/ara_frontend_nginx/vars/CentOS.yaml
View File

@ -1,21 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
ara_nginx_user: nginx
ara_nginx_group: nginx
ara_nginx_config_path: /etc/nginx/conf.d

1
roles/ara_frontend_nginx/vars/Debian.yaml
View File

@ -1 +0,0 @@
Ubuntu.yaml

21
roles/ara_frontend_nginx/vars/Fedora.yaml
View File

@ -1,21 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
ara_nginx_user: nginx
ara_nginx_group: nginx
ara_nginx_config_path: /etc/nginx/conf.d

1
roles/ara_frontend_nginx/vars/RedHat.yaml
View File

@ -1 +0,0 @@
CentOS.yaml

21
roles/ara_frontend_nginx/vars/Ubuntu.yaml
View File

@ -1,21 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
ara_nginx_user: www-data
ara_nginx_group: www-data
ara_nginx_config_path: /etc/nginx/sites-available

112
roles/ara_web/README.rst
View File

@ -1,112 +0,0 @@
ansible-role-ara-web
====================
.. image:: ../../doc/source/_static/ansible-role-ara-web.png
This Ansible role provides a framework for installing one or many instances of
`ara-web <https://github.com/ansible-community/ara-web>`_ in a variety of
opinionated deployment topologies.
It is currently tested and supported against Ubuntu 18.04 and Fedora 29.
Role Variables
--------------
See `defaults/main.yaml <https://github.com/ansible-community/ara/blob/master/roles/ara_web/defaults/main.yaml>`_.
.. literalinclude:: ../../roles/ara_web/defaults/main.yaml
:language: yaml+jinja
:start-after: www.gnu.org
TL;DR
------
This is what the role does by default out of the box:
- Retrieves ara-web from source
- Installs nodejs LTS (v10)
- Installs ara-web dependencies with npm
- Configures an ara-server API endpoint in ara-web's ``public/config.json`` file
- Sets up a systemd unit file for running ara-web with the embedded development server
About deployment topologies
---------------------------
This Ansible role is designed to support different opinionated topologies that
can be selected with role variables.
For example, the following role variables are defaults used to provide the
topology from the ``TL;DR`` above:
- ``ara_web_install_method: source``
- ``ara_web_dev_server: true``
- ``ara_web_frontend_server: null``
The intent is that as the role gains support for other install methods or
frontend servers, it will be possible to mix and match according to preference
or requirements.
Example playbooks
-----------------
Deploy the ARA API and web client on the same machine with defaults:
.. code-block:: yaml+jinja
- name: Deploy ARA API and web client
hosts: all
gather_facts: yes
vars:
# ara_api
ara_api_fqdn: api.ara.example.org
ara_api_wsgi_server: gunicorn
ara_api_allowed_hosts:
- api.ara.example.org
ara_api_cors_origin_whitelist:
- "http://web.ara.example.org"
# ara_web
ara_web_fqdn: web.ara.example.org
ara_web_frontend_server: nginx
ara_web_api_endpoint: "http://api.ara.example.org"
roles:
- ara_api
- ara_web
Deploy only ara-web behind nginx and point it to a remote API endpoint:
.. code-block:: yaml+jinja
# Note: Don't forget to add the web fqdn in the remote cors_origin_whitelist.
# Otherwise, the web client might not be authorized to query the API.
- name: Deploy ara-web for remote API endpoint
hosts: all
gather_facts: yes
vars:
ara_web_fqdn: web.ara.example.org
ara_web_api_endpoint: "http://api.remoteara.example.org"
ara_web_frontend_server: nginx
ara_web_frontend_vhost: custom-web-vhost.conf.j2
roles:
- ara_web
.. _include_delimiter_end:
Copyright
---------
::
Copyright (c) 2019 Red Hat, Inc.
ARA Records Ansible is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ARA Records Ansible is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.

71
roles/ara_web/defaults/main.yaml
View File

@ -1,71 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# Root of where files will be stored for ara-web
ara_web_root_dir: "{{ ansible_user_dir }}/.ara"
# When using static builds without the dev server, path to ara-web static assets
ara_web_static_dir: "{{ ara_web_root_dir }}/www/ara-web"
# How ara-web will be installed
# - source (default): installs from a local or remote git repository specified by ara_web_source
# - npm (planned): installs from npm
ara_web_install_method: source
# When installing from source, the location of the remote or local git repository
ara_web_source: "https://opendev.org/recordsansible/ara-web"
# Location where ara-web will be checked out
ara_web_source_checkout: "{{ ara_web_root_dir }}/git/ara-web"
# Location where node_modules will be installed
ara_web_node_modules_dir: "{{ ara_web_source_checkout }}"
# Version of ara-web to install
# This can be a git ref (tag, branch, commit) when installed from source
# When using "latest" as the source version, HEAD will be used
ara_web_version: latest
# Whether to use the embedded react web server or not
# Setting this to false means ara-web will be statically built instead
ara_web_dev_server: true
# When the development server is enabled, the address it will be listening on
ara_web_dev_server_bind_address: 127.0.0.1
# When the development server is enabled, the port it will be listening on
ara_web_dev_server_bind_port: 3000
# Version of nodesource nodejs repositories to install
ara_web_nodejs_version: 10
# ara-server API endpoint to use
ara_web_api_endpoint: "http://127.0.0.1:8000"
# The frontend server for serving ara-web
# - null (default): none, users are expected to use the development server directly or deploy their own web server
# - nginx: when performance of the development server is an issue
# - apache (planned)
ara_web_frontend_server: null
# When using a frontend server, you can override the default vhost configuration
# template by specifying the path to your own template file.
ara_web_frontend_vhost: null
# When using a frontend server, the hostname to listen on
ara_web_fqdn: "{{ ansible_default_ipv4['address'] }}"

31
roles/ara_web/handlers/main.yaml
View File

@ -1,31 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
# Is there a better way ? Static files are not created with the httpd context
- name: restore selinux context for static files
become: "{{ (ansible_user_dir in ara_web_static_dir) | ternary(false, true) }}"
command: "restorecon -Rv {{ ara_web_static_dir }}"
when: ansible_os_family == "RedHat"
- name: restart ara-web
become: true
service:
name: ara-web
state: restarted
when:
- ara_web_service_enabled is not changed

36
roles/ara_web/meta/main.yaml
View File

@ -1,36 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
galaxy_info:
author: David Moreau-Simard
description: Role to set up ara-web
license: GPLv3
min_ansible_version: 2.7
platforms:
- name: Fedora
versions:
- 29
- name: Ubuntu
versions:
- bionic
galaxy_tags:
- ansible
- ara
- ara-web
dependencies: []

107
roles/ara_web/tasks/install/source.yaml
View File

@ -1,107 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure libselinux-python is installed for Red Hat derivatives
become: yes
package:
name: libselinux-python
state: present
when: ansible_os_family == "RedHat"
- name: Ensure git is installed
become: yes
package:
name: git
state: present
# TODO: node_modules and public/config.json are local to the git repository so this is not idempotent
- name: Prepare git repository for ara-web
git:
repo: "{{ ara_web_source }}"
dest: "{{ ara_web_source_checkout }}"
version: "{{ (ara_web_version == 'latest') | ternary('HEAD', ara_web_version) }}"
force: yes
- name: Install ara-web npm dependencies
npm:
path: "{{ ara_web_source_checkout }}"
global: no
production: yes
state: present
notify:
- restart ara-web
- name: Configure ara-server API endpoint for ara-web
vars:
web_config:
apiURL: "{{ ara_web_api_endpoint }}"
copy:
content: "{{ web_config | to_nice_json(indent=2) }}"
dest: "{{ ara_web_source_checkout }}/public/config.json"
mode: 0644
notify:
- restart ara-web
- when: ara_web_dev_server | bool
become: yes
block:
- name: Set up systemd unit file for ara-web
template:
src: ara-web.service.j2
dest: /etc/systemd/system/ara-web.service
owner: root
group: root
mode: 0644
notify:
- restart ara-web
- name: Enable and start ara-web
service:
name: ara-web
state: started
enabled: yes
daemon_reload: yes
register: ara_web_service_enabled
- when: not ara_web_dev_server | bool
block:
- name: Stop and disable ara-web
become: yes
service:
name: ara-web
state: stopped
enabled: no
- name: Ensure systemd unit file is not configured
become: yes
file:
path: /etc/systemd/system/ara-web.service
state: absent
- name: Run a production build of ara-web
command: npm run build
args:
chdir: "{{ ara_web_source_checkout }}"
creates: "{{ ara_web_source_checkout }}/build"
- name: Synchronize build to web directory
become: "{{ (ansible_user_dir in ara_web_static_dir) | ternary(false, true) }}"
command: |
rsync -rlog --delete-delay {{ ara_web_source_checkout }}/build/ {{ ara_web_static_dir }}
notify:
- restore selinux context for static files

28
roles/ara_web/tasks/main.yaml
View File

@ -1,28 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Install nodejs
include_tasks: nodejs.yaml
- name: Include ara-web installation
include_tasks: install/{{ ara_web_install_method }}.yaml
- name: Include frontend server installation
include_role:
name: "ara_frontend_{{ ara_web_frontend_server }}"
when: ara_web_frontend_server is not none

53
roles/ara_web/tasks/nodejs.yaml
View File

@ -1,53 +0,0 @@
---
# Copyright (c) 2019 Red Hat, Inc.
#
# This file is part of ARA Records Ansible.
#
# ARA Records Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ARA Records Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ARA Records Ansible. If not, see <http://www.gnu.org/licenses/>.
- when: ansible_os_family == "Debian"
become: yes
block:
- name: Install apt-transport-https
package:
name: apt-transport-https
state: present
- name: Install nodesource repository key
apt_key:
url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
- name: Install nodesource apt source repository
apt_repository:
repo: "deb-src https://deb.nodesource.com/node_{{ ara_web_nodejs_version }}.x {{ ansible_distribution_release }} main"
state: present
- name: Install nodesource apt repository
apt_repository:
repo: "deb https://deb.nodesource.com/node_{{ ara_web_nodejs_version }}.x {{ ansible_distribution_release }} main"
state: present
update_cache: yes
- name: Install Nodesource yum repository
become: yes
package:
name: "https://rpm.nodesource.com/pub_{{ ara_web_nodejs_version }}.x/fc/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/nodesource-release-fc{{ ansible_distribution_major_version }}-1.noarch.rpm"
state: present
when: ansible_os_family == "RedHat"
- name: Install nodejs
become: yes
package:
name: nodejs
state: present

16
roles/ara_web/templates/ara-web.service.j2
View File

@ -1,16 +0,0 @@
[Unit]
Description=ARA Records Ansible web client
After=network.target
[Service]
PIDFile=/run/ara-web/pid
User={{ ansible_user_id }}
RuntimeDirectory=ara-web
WorkingDirectory={{ ara_web_source_checkout }}
ExecStart=/usr/bin/npm start --host {{ ara_web_dev_server_bind_address }} --port {{ ara_web_dev_server_bind_port }}
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target